Compliance In Focus Cybersecurity

With the continued threat of cyber-attacks on firms, it is important that robust cybersecurity measures are in place, proportionate to the nature and complexity of the firm and to the sensitivity of the information and data it holds. Consequently, for smaller firms, i.e. sole traders and one- or two-person firms, some measures may not be applicable. Cybersecurity can be defined as the protection of the firm's systems, networks and data; it protects against IT attack incidents. Such threats and attacks are becoming ever more prevalent, sophisticated and complex.

The advancement of IT has changed the way business is conducted by members: IT is now a key enabler of a firm's business strategy and is no longer simply a support function. As a result, there is a heightened risk when it comes to IT systems failure and cyber 'trigger events', e.g. data theft or destruction. Cyber-attacks may come in two forms: firms may be subject to a deliberate attack if they are viewed as holding valuable data, or the attack may be opportunistic in nature, brought about by the discovery of a weakness in a firm's structure.

Firms should first identify and appoint a person within the firm who is responsible for IT. This person should be sufficiently senior and should report to the Board (if applicable). The pertinent stages in any IT compliance project are then: an assessment of the current position (carried out either by the sole trader/appointed individual within the firm or by a third-party service provider); a gap analysis, i.e. identifying what shortfalls exist; and remediation, i.e. the actions to be undertaken and the new systems/measures to be put in place. Upon remediation, it is incumbent on the firm to continually monitor, audit and review the process. A firm's cybersecurity policy should be proportionate to the risks faced by that individual firm, and should be based on a risk assessment. Adequate staff training and ongoing communication with staff regarding potential risks are vital.

The following are steps that can be taken by members to mitigate risks:

  • Keep anti-virus software up to date and maintain caution when opening attachments from unknown or unsolicited emails.

  • Carry out regular scans for malware and spyware.

  • Use a VPN (Virtual Private Network) to securely access your office database. This is a network that allows remote users to securely access office IT resources, such as email and the firm’s network.

  • If working without a VPN, back up your data in a secure offline manner.

  • Take inventory of which employees require full access to your entire office network and ensure that full access is not through personal devices.

  • Consider logging into your office IT system using Multi-Factor Authentication. This can include a biometric reader, a unique login code sent by text, or the use of a USB stick as an access key. This is particularly relevant when allowing a personal device to connect to the network: using personal devices as work devices increases the exposure to successful attacks.

  • Consider restricting the use of personal devices to email and cloud services, and issue each such device with a licence for the same anti-malware software that is used in the office. In addition, consider limiting the ability to download and copy data to that device.

  • Consider enabling BitLocker (if the computer runs Windows) so that, if a device is stolen, the data on it cannot be accessed.

  • Only connect via a secure private Wi-Fi connection.

  • Set all virtual meetings to private, with password-only access.

  • Ensure that laptops are encrypted, and that systems are installed to track tablets and phones and delete their data if they are lost or stolen.

  • Brokers Ireland would also recommend that members consider taking out Cyber Cover. Cyber insurance generally covers a firm’s liability for a data breach involving cyber-attacks.
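As an added illustration of the BitLocker step above (this script is not part of the Brokers Ireland bulletin), the following PowerShell, run from an elevated session on a Windows laptop, checks whether the system drive is protected, enables BitLocker with a TPM protector and a recovery password if it is not, and escrows the recovery password. The drive letter `C:` and the assumption that the firm stores recovery keys in Active Directory are assumptions made for this example; firms using a different key-escrow arrangement would substitute their own backup step.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original bulletin. Assumptions: system drive is C:
# and recovery passwords are escrowed to Active Directory Domain Services.
$Drive = "C:"

# 1. A present and ready TPM is needed for transparent unlock at boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; initialise the TPM before enabling BitLocker."
}

# 2. Report the current state of the drive before changing anything.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $Drive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# 3. Enable encryption only if protection is not already on.
if ($vol.ProtectionStatus -ne "On") {
    # Add the recovery password first so a recovery path exists from the start.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    # TPM protector, XTS-AES-256, encrypt used space only, start without the reboot hardware test.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest
}

# 4. Escrow every recovery password protector (assumed: domain-joined, AD DS escrow permitted).
$vol = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $kp.KeyProtectorId
}

# 5. Final check: any drive still listed here is unprotected and needs attention.
Get-BitLockerVolume | Where-Object ProtectionStatus -ne "On" |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus
```

The final `Get-BitLockerVolume` check is the part worth keeping in a periodic review: a drive whose `ProtectionStatus` is `Off`, or whose only key protector is a recovery password with no TPM protector, is not giving the protection the bullet point above describes. Escrowing the recovery password before encryption completes matters because a laptop that is encrypted but whose recovery key was never recorded is lost to the firm as surely as one that was stolen.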

Members should also be aware that the EU's Digital Operational Resilience Act ("DORA") entered into force on 16 January 2023 and will apply from 17 January 2025. The Regulation's goal is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms against the increasing risk of cyber-attacks.

Micro and SME insurance intermediaries are not in the scope of DORA. MiFID II "opt-out investment firms" are also exempted. Large insurance intermediaries are in scope; however, DORA requires that its rules be applied in accordance with the proportionality principle, taking into account the size, nature, scale and complexity of the firm's services, activities and operations and its overall risk profile.

On 19 June, the European Supervisory Authorities (EIOPA, ESMA and EBA, together the ESAs) opened a public consultation on four sets of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under DORA. After the consultation period, the ESAs will adopt a final version of their draft RTS and ITS, which will then be adopted by the Commission and enter into force unless the European Parliament or the Council object to them within three months. Brokers Ireland are monitoring these developments at EU level and will update members accordingly.